
What are the assumptions of it #5

Open
837951602 opened this issue Feb 10, 2017 · 7 comments

@837951602
Contributor

JScrewIt turns "undefined" into "[][[]]" but undefined may be 3 while [][[]] may be 4

@fasttime
Owner

JScrewIt assumes that predefined objects are not overwritten and that no changes are made to their prototype chains. So if we set Array.prototype[""] = 4 we are breaking that assumption.

undefined is more subtle: the global property "undefined" is not configurable and so it will always evaluate to void 0. We can shadow that value in a local scope, but then our input would no longer look like undefined, but something more complex like (undefined => undefined + 1)(3), and that evaluates to 4 as expected.
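The two points in this reply can be checked directly in plain JavaScript. The block below is an added example, not code from JScrewIt or from either participant: it shows what `[][[]]` evaluates to before and after `Array.prototype[""]` is set, why the global `undefined` binding cannot be reassigned, and how a local parameter named `undefined` is the only way to make that name hold another value. The `preflightCheck` function is a hypothetical helper (not a JScrewIt API) that a loader could run before evaluating encoded output to confirm the load-time assumptions still hold; its `Function.prototype.toString` probe is only a heuristic.

```javascript
// Added example (not part of JScrewIt or this thread): load-time assumptions.

// "[][[]]" is a property lookup: the key [] converts to the string "", so this
// reads the "" property of an empty array, walking up to Array.prototype.
function emptyArrayIndexedByEmptyArray() {
  return [][[]];
}

// Run fn with Array.prototype[""] temporarily set, then restore the prototype
// so the rest of the program keeps a clean environment.
function withPollutedArrayPrototype(value, fn) {
  Array.prototype[""] = value;
  try {
    return fn();
  } finally {
    delete Array.prototype[""];
  }
}

// The global "undefined" binding is neither writable nor configurable, so the
// bare name "undefined" at global scope always evaluates to void 0.
function undefinedBindingDescriptor() {
  return Object.getOwnPropertyDescriptor(globalThis, "undefined");
}

// Shadowing the name in a local scope is the only way to give it another value;
// the expression then no longer looks like a plain "undefined".
function shadowedUndefined(value) {
  return (undefined => undefined + 1)(value);
}

// Hypothetical pre-flight check (not a JScrewIt API): returns a list of the
// load-time assumptions from the thread that do not hold right now.
function preflightCheck() {
  const problems = [];
  if ([][[]] !== void 0) {
    problems.push('[][[]] does not evaluate to undefined');
  }
  const desc = undefinedBindingDescriptor();
  if (!desc || desc.writable || desc.configurable) {
    problems.push('global "undefined" is not a frozen binding');
  }
  // Heuristic: a native Function.prototype.toString reports "[native code]"
  // when applied to itself. An overwritten toString could lie, so this only
  // catches careless replacements.
  const probe = Function.prototype.toString.call(Function.prototype.toString);
  if (!/\[native code\]/.test(probe)) {
    problems.push('Function.prototype.toString is not native');
  }
  return problems;
}

// Stand-alone demonstration.
console.log(emptyArrayIndexedByEmptyArray());                              // undefined
console.log(withPollutedArrayPrototype(4, emptyArrayIndexedByEmptyArray)); // 4
console.log(shadowedUndefined(3));                                         // 4
console.log(preflightCheck());                                             // []
console.log(withPollutedArrayPrototype(4, preflightCheck));                // one problem
```

Because the pollution is undone in a `finally` block, the check reports the problem only while `Array.prototype[""]` is set and reports a clean environment again afterwards.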

@837951602
Contributor Author

Yet [no changes on predefined objects' prototypes] may not be so universal. Is it enough that predefined prototypes remain unchanged and that [][[]] is undefined?

@fasttime
Owner

@837951602 No, that's not enough. For example, if Function.prototype.toString is overwritten, a whole bunch of things stop working.

Note though that these restrictions only apply to the time the code is loaded, not to the time the code runs. It's perfectly OK to mess with prototypes in your screwed code or in some other code that runs after your screwed code has been loaded.

@837951602
Contributor Author

@fasttime I meant that if a prototype is predefined (that is, not undefined at the beginning), it's assumed to remain unchanged, thus Function.prototype.toString being destroyed doesn't fit.

@fasttime
Owner

@837951602 That's correct, but predefined objects like self, statusbar, String, etc. (and not just their prototypes) should also stay unchanged.

@837951602
Contributor Author

Note though that these restrictions only apply to the time the code is loaded, not to the time the code runs. It's perfectly OK to mess with prototypes in your screwed code or in some other code that runs after your screwed code has been loaded.

!a()+!a() is turned into ![].filter.constructor('return a')()()+![].filter.constructor('return a')()() but if a() destroyed [].filter the 2nd !a() won't run

@fasttime
Owner

@837951602 This is correct, and it's because of the order in which the expressions are evaluated. When this happens to be a problem it can be addressed using a code generation type other than "express". There is no option for this in the UI, but it can be done in JavaScript (maybe in the browser console).

JScrewIt.encode("!a()+!a()", { runAs: "eval" }); // eval("!a()+!a()")

or if the return value is not needed

JScrewIt.encode("!a()+!a()", { runAs: "call" });
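The evaluation-order problem from the previous two comments, and why the "eval" and "call" shapes avoid it, can be reproduced without JScrewIt by hand-writing the expansions quoted in the thread. The block below is an added example, not JScrewIt's code or output: `expressStyle` is the `![].filter.constructor('return a')()()` form quoted above, while `evalStyle` and `callStyle` are hand-written analogues of what the "eval" and "call" shapes do (the whole source string is handed to the engine once, so built-ins are needed only before the first call to `a`). The function `a` is a constructed stand-in that deletes `Array.prototype.filter` as a side effect; it is installed as a global because `Function('return a')` resolves names in global scope.

```javascript
// Added example (not JScrewIt's code): evaluation order in "express" output
// versus the "eval" and "call" shapes, reproduced in plain JavaScript.

// Saved so the built-in can be restored exactly (same enumerability etc.).
const filterDescriptor = Object.getOwnPropertyDescriptor(Array.prototype, 'filter');

// Constructed stand-in for the user's a(): it destroys a built-in the encoded
// output depends on, then returns 0 (so !a() is true).
function destructiveA() {
  delete Array.prototype.filter;
  return 0;
}

// Install aImpl as the global "a", run fn, then restore the environment.
function withGlobalA(aImpl, fn) {
  globalThis.a = aImpl;
  try {
    return fn();
  } finally {
    Object.defineProperty(Array.prototype, 'filter', filterDescriptor);
    delete globalThis.a;
  }
}

// Shape of the "express" output quoted in the thread: each reference to a is
// rebuilt from [].filter.constructor when that operand is evaluated, so the
// second operand fails once the first a() has removed Array.prototype.filter.
function expressStyle() {
  return ![].filter.constructor('return a')()() + ![].filter.constructor('return a')()();
}

// Analogue of the "eval" shape: eval("!a()+!a()") via an indirect global eval.
// The built-in is used once, before a() ever runs.
function evalStyle() {
  return [].filter.constructor('return eval')()('!a()+!a()');
}

// Analogue of the "call" shape: the source becomes a function body that is
// called once; the return value is discarded.
function callStyle() {
  return [].filter.constructor('!a()+!a()')();
}

// Capture either the return value or the thrown error's type.
function outcome(fn) {
  try {
    return { ok: true, value: fn() };
  } catch (e) {
    return { ok: false, error: e.constructor.name };
  }
}

// Run all three shapes against the destructive a() in a clean environment each.
function compare() {
  return {
    express: withGlobalA(destructiveA, () => outcome(expressStyle)),
    eval: withGlobalA(destructiveA, () => outcome(evalStyle)),
    call: withGlobalA(destructiveA, () => outcome(callStyle)),
  };
}

console.log(compare());
// express: { ok: false, error: 'TypeError' }   second [].filter is undefined
// eval:    { ok: true, value: 2 }              !0 + !0 === 2
// call:    { ok: true, value: undefined }      body ran, no return value
```

The `express` branch fails with a `TypeError` because `+` evaluates its left operand completely (including the call to `a`, which deletes `filter`) before the right operand reads `[].filter` again; the other two shapes obtain `Function` or `eval` once and pass the whole source string through, so nothing is looked up on `Array.prototype` after `a` has run.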

2 participants